[UNIX] WordPress Cafelog SQL Injection Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 10/09/03

    To: list@securiteam.com
    Date: 9 Oct 2003 15:51:34 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      WordPress Cafelog SQL Injection Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    WordPress (http://wordpress.org/) is "a semantic personal publishing
    platform with a focus on aesthetics, web standards, and usability". The
    WordPress Cafelog has been found to contain an SQL injection vulnerability
    due to its inadequate filtering of incoming user data.

    DETAILS

    Vulnerable Versions:
     * CVS versions before October 1, 2003
     * The vulnerability affects code inherited from b2, so all versions of
    WordPress released before the CVS fix are affected, and many versions of
    b2 are affected as well.

    A number of SQL injection vulnerabilities have been fixed that could allow
    arbitrary SQL to be injected if one has local access to the filesystem the
    database can access (using 'source filename.sql;'). The single quote ('),
    the double quote (") and the backslash (\) are all filtered, and the space
    character is munged into SQL constructs before injection, so %09 (the tab
    character) can be used wherever a space would normally appear in the SQL
    string one wishes to inject. The problem affects the category (cat) and
    order-by (order_by) code. The author (author) code was almost vulnerable,
    except for a small bug that mis-converted author to an integer before
    string processing. The problems are located in the blog.header.php file,
    and a patch is linked below (provided by the authors) that fixes the
    vulnerabilities and includes general bug fixes and code cleanup. Any SQL
    string not containing quotes or a backslash can be injected through the
    URL (e.g. 'drop table foo;').

    Patch:
    A patch is available for download from:
    http://cvs.sourceforge.net/viewcvs.py/cafelog/wordpress/blog.header.php.diff?r1=text&tr1=1.18&r2=text&tr2=1.21&diff_format=u

    Exploit:
    The following is an example URL:
    http://fresh.wordpress.org/index.php?cat=100)%09or%090=0%09or%09(0=1

    The exploit example exposes private posts. Dropping tables should be
    trivial, especially using the order_by flaw.
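    As an added illustration, not code from the advisory or from WordPress, the following Python stand-in reproduces the filtering logic described in the DETAILS section and the effect of the example URL above: a filter that strips quotes, backslashes and spaces still lets the tab-separated cat value through, so the interpolated query returns private posts, while the hardened version requires an integer and binds it as a parameter. The filter, the in-memory SQLite table and its rows are assumptions constructed for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

# The cat value from the advisory's example URL (everything after "cat=").
ADVISORY_CAT_PAYLOAD = "100)%09or%090=0%09or%09(0=1"

# Constructed sample rows: (id, category, is_private, title)
POSTS = [(1, 100, 0, "public A"), (2, 100, 1, "private B"), (3, 7, 0, "public C")]


def make_db():
    """Builds an in-memory SQLite table holding the constructed sample posts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER, category INTEGER, "
               "is_private INTEGER, title TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", POSTS)
    return db


def weak_filter(value):
    """Assumed stand-in for the pre-fix filter: quotes, backslashes and
    spaces are removed, but a tab (%09 in the URL) passes through untouched."""
    for ch in ("'", '"', "\\", " "):
        value = value.replace(ch, "")
    return value


def vulnerable_lookup(db, cat_param):
    """Pre-fix pattern: the filtered value is spliced into the SQL text, so
    the tab-separated payload turns the WHERE clause into '... or 0=0 ...'."""
    cat = weak_filter(unquote(cat_param))
    sql = f"SELECT title FROM posts WHERE (category = {cat}) AND is_private = 0"
    return [row[0] for row in db.execute(sql)]


def is_valid_cat(cat_param):
    """Whitelist check used by the hardened lookup: decoded value is digits only."""
    return unquote(cat_param).isdigit()


def hardened_lookup(db, cat_param):
    """Fixed pattern: cat must be an integer and is bound as a parameter,
    so no part of it is ever interpreted as SQL."""
    if not is_valid_cat(cat_param):
        raise ValueError("cat must be a non-negative integer")
    sql = "SELECT title FROM posts WHERE category = ? AND is_private = 0"
    return [row[0] for row in db.execute(sql, (int(unquote(cat_param)),))]
```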

    ADDITIONAL INFORMATION

    The information has been provided by Seth Woolley (seth@tautology.org).

